General
- Target: krampus.zip
- Size: 263KB
- Sample: 240427-ns52kahf76
- MD5: ae1de090714d6d4a4cd848dbbe057404
- SHA1: d632f84ec7896e36efc5e824f9d9075ab82884f6
- SHA256: ccd54a983fb9a6c4dad13f51f549712c80dd082dd984292137640d14bfe44bf9
- SHA512: deecf7e8569382ae4a08cbdb028ab871bfb060a4ddb9b6d10138f41116b005fcf2090b00b26faeb61fe477f7c65bbf1970e638cc26ff31845a962c65cfc680d9
- SSDEEP: 6144:7Jem5K8LMK4wwr3zIIEBBNfNgFGaUX6mGPTTLtAyZ0KlIS5:9Z5Kw/wrj1wfxZsTLtwk5

Static task: static1
Behavioral task: behavioral1 (Sample: krampus.zip; Resource: win11-20240426-en)
Behavioral task: behavioral2 (Sample: Ro-exec/READ ME (ro-exec).txt; Resource: win11-20240426-en)
Behavioral task: behavioral3 (Sample: Ro-exec/ezdebug.png; Resource: win11-20240419-en)
Behavioral task: behavioral4 (Sample: Ro-exec/loader-upd.bat; Resource: win11-20240426-en)

Malware Config
Extracted: xworm
- Install_directory: %Public%
- install_file: svchost.exe
- pastebin_url: https://pastebin.com/raw/UWpQULMP

Targets

Target: krampus.zip
- Size: 263KB
- MD5: ae1de090714d6d4a4cd848dbbe057404
- SHA1: d632f84ec7896e36efc5e824f9d9075ab82884f6
- SHA256: ccd54a983fb9a6c4dad13f51f549712c80dd082dd984292137640d14bfe44bf9
- SHA512: deecf7e8569382ae4a08cbdb028ab871bfb060a4ddb9b6d10138f41116b005fcf2090b00b26faeb61fe477f7c65bbf1970e638cc26ff31845a962c65cfc680d9
- SSDEEP: 6144:7Jem5K8LMK4wwr3zIIEBBNfNgFGaUX6mGPTTLtAyZ0KlIS5:9Z5Kw/wrj1wfxZsTLtwk5
Score: 10/10
- Detect Xworm Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable: AutoIT scripts compiled to PE executables.

Target: Ro-exec/READ ME (ro-exec).txt
- Size: 1KB
- MD5: 1f9c507519361f7b7cc8fc3d66212a68
- SHA1: 6119fef9df683505e941aeb6ea425c4247d388b7
- SHA256: 6b8772efbde31f7905ea54ddf51e4d8e3cb7ea49763215fa8cab88357885d9ff
- SHA512: c0193bd5e43650fe5fed86ebe6329c903e5c820629826447c033d2b561ccca9f912a1663d8379d9cbb732691b4c65160f6a3d4eff996f6fff86d0ea41b7c3922
Score: 3/10

Target: Ro-exec/ezdebug.png
- Size: 49KB
- MD5: 654dfa5c392f08728a7acc79587ecdd1
- SHA1: 56a1abc7ac86e7275c8fac870700417d724c66ea
- SHA256: 65792581029de7e992a20f67e1ebca3031c258e743f0f6f0f29d60f880573c32
- SHA512: 2c30c6972686a03e6c5fc89a024eaf3ceeb81b1fd8c19e2f8c652effa4e1e0e7171dfe1d17f95ad2e623ce5dfd80242489ffb3294f1928382ebae41ce764abb7
- SSDEEP: 1536:kNfMc6jr372U55shDVmWcEaOH5UWRxrL5PYpBv:kNf67glVmWcz+7RxZYpR
Score: 3/10

Target: Ro-exec/loader-upd.bat
- Size: 295KB
- MD5: e0b1638feea307a3afbeacaec7fd506c
- SHA1: 16d849c8f90412a612e1fc0eed6e406f076d4099
- SHA256: 34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e
- SHA512: 795e2418636e320eb8cd381066ac5ef4ef479b770d1bab1a7221aba15d7fa9e7d54b996dac1b93fa9068e57c5ee369fd5024ce916c6de07e48f1ff8d51863a5e
- SSDEEP: 6144:yll7goJPFab7YvftLMYUQK4UHF8WkA0dXTwxl:MlnabilLMYHbTDlSl
Score: 10/10
- Detect Xworm Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2